Wake Up and Smell the Coffee: How IoT Manufacturers Can Prepare for the Cyber Resilience Act
By Carlos Serratos, SESIP Ecosystem Adoption WG Chair, GlobalPlatform
In December 2024, the European Union formally adopted the Cyber Resilience Act (CRA), launching a 36-month countdown for manufacturers of IoT devices to comply with stringent new cybersecurity regulations. The law covers almost all devices that connect to the internet, spanning everything from baby monitors to industrial Programmable Logic Controllers (PLCs). The goal is to ensure products are “secure by design” across their entire lifecycle.
The standards industry has been preparing for this shift for years. But many IoT original equipment manufacturers (OEMs) remain in the dark about how the CRA will impact their business in one of the world’s largest trading blocs.
Consider a company that produces smart coffee machines. Its expertise lies in designing and manufacturing high-quality appliances, not in the cybersecurity capabilities of the components embedded in the coffee machine, such as microcontrollers, software libraries, and operating systems. Yet, under the CRA, every component in a connected device must soon comply with the new rules. If an OEM cannot show conformance by the 2027 deadline, it will be unable to secure the CE mark required to sell products in the EU.
Navigating a complex regulatory landscape
It is estimated that up to 90 percent of a connected device’s security functionality derives from the integrated components used in the product. This means that manufacturers must carefully assess their entire supply chain, ensuring that every chipset, software module, and connectivity component adheres to CRA requirements. Failing to do so could result in expensive redesigns, supply chain disruptions, and, ultimately, loss of market access.
This presents major challenges for OEMs unfamiliar with the regulations. The coffee machine maker must now assess the security of each third-party component within its smart coffee machine. It is its responsibility to demonstrate, for example, that the underlying microcontroller is secure enough.
Adding to the difficulty is the fragmented regulatory landscape. Security standards vary not just by geography but also by application. A microcontroller can be used, for example, in a consumer product compliant with EN 303 645, but if used in an industrial setting it might need to comply with IEC 62443. Figuring out which components are suitable for which products suddenly becomes a complex challenge.
Evaluate only once, repeat as necessary
By verifying individual components once and reusing them across different products and markets, OEMs—such as the coffee machine maker—can quickly build the capabilities needed to become CRA compliant without having to become cybersecurity experts. They no longer need to develop in-house cryptography expertise to securely connect the coffee machine to the internet—they can simply trust that their certified components can do the job.
This is why the Security Evaluation Standard for IoT Platforms (SESIP) is a game changer. SESIP is a standardized framework that simplifies security evaluation for IoT devices by providing a common methodology for assessing and certifying the security capabilities of the components and platforms used in those devices.
By selecting a component—such as a microcontroller—that has achieved the appropriate level of SESIP certification, the OEM receives assurances that the necessary security requirements have been correctly implemented by their supplier. It allows them to make informed decisions on components without having to perform security evaluations each time.
Meanwhile, the SESIP-compliant component supplier demonstrates the security of its products in a standardized, repeatable way. This reduces the cost and complexity of security evaluations and gives suppliers the ability to extend their components into new use cases and industry sectors.
A platform for launching secure products
The SESIP methodology is already being used to certify components, platforms, and modules from a range of companies and is supported by a growing ecosystem of security providers, certification bodies, security laboratories, and other stakeholders. SESIP is recognized as a European standard (EN 17927) and aligns with other regulatory frameworks and certification schemes globally, including the Cyber Trust Mark in the US.
By adopting SESIP, OEMs and their supply chains can streamline CRA compliance, reduce complexity, and accelerate time to market. As the 2027 deadline for CRA compliance approaches, embracing SESIP will be key to ensuring the IoT industry can stay ahead of regulatory demands and focus on building secure connected products.
Join us at the EU Cyber Acts Conference in Brussels for the IoT Cyber Compliance Day (25 March) to find out more about how the industry can prepare for the Cyber Resilience Act.